fix: Correct test cases and audit commands for rh-1.8, cis-1.11, gke-1.8.0, and eks-1.7.0 benchmarks #1988
Conversation
Hi @afdesk @mozillazg, could you please review this PR when you get a chance?
| - id: 4.1.7 | ||
| text: "Cluster Access Manager API to streamline and enhance the management of access controls within EKS clusters (Manual)" | ||
| text: "Cluster Access Manager API to streamline and enhance the management of access controls within EKS clusters (Automated)" | ||
| type: "manual" |
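Review bot: the check text and the `type` field disagree: if "(Automated)" is the new wording for 4.1.7, it contradicts the unchanged `type: "manual"` on the last line, which tells kube-bench not to run an audit for this check. Either keep "(Manual)" in the text, or drop `type: "manual"` and supply an `audit`/`tests` block, whichever matches the benchmark; the two must not say different things.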
is this type still manual?
@afdesk Yes, it means we can't audit it by running a script.
| oc exec -n openshift-multus "$POD_NAME" -- /bin/bash -c "stat -c '$i %n %U:%G' /host/etc/cni/net.d/*.conf" 2>/dev/null | ||
| oc exec -n openshift-multus $i -- /bin/bash -c "stat -c '$i %n %U:%G' /host/var/run/multus/cni/net.d/*.conf" 2>/dev/null | ||
| # Execute the stat command | ||
| oc exec -n openshift-multus "$POD_NAME" -- /bin/bash -c "stat -c '$i %n %U:%G' /host/etc/cni/net.d/*.conf" 2>/dev/null |
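Review bot: the stat format on the last line still interpolates `$i` (`stat -c '$i %n %U:%G'`) although the loop variable was replaced by `$POD_NAME`. Because the outer argument is double-quoted, `$i` is expanded by the calling shell, where it is no longer set, so the pod name silently disappears from the output. Suggest `stat -c '$POD_NAME %n %U:%G'`, or `stat -c '%n %U:%G'` with the pod name printed separately.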
I misunderstood here: what is the `$i` variable? Could you pls clarify it?
| compare: | ||
| op: eq | ||
| value: true | ||
| - flag: "true" |
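Review bot: replacing the `compare` block (`op: eq`, `value: true`) with a bare `- flag: "true"` loosens the check: in kube-bench a `flag` with no `compare` only tests that the string appears somewhere in the audit output, so any line containing `true` would pass, whereas `op: eq` compares the extracted value itself. If an exact match is intended, keep `flag` naming the setting and retain the `compare` block with `op: eq` and `value: true`.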
flag: "true" is a loose substring check, isn't it?
| oc get clusterrolebindings -o=customcolumns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | | ||
| grep cluster-admin | ||
| oc get clusterrolebindings -o=custom-columns="NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind" | grep cluster-admin | ||
| #To verity that kbueadmin is removed, no results should be returned |
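Review bot: the comment on the last line has two typos, `verity` (verify) and `kbueadmin` (kubeadmin); since it is the only place stating what a passing result looks like, it should read correctly. The switch to `-o=custom-columns="..."` itself is right: `customcolumns` is not a valid `oc get` output format, so the old command would have failed before the `grep` ran.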
kbueadmin -> kubeadmin
could you pls fix this typo too?
@amitk1sharma thanks a lot for your efforts!
@mozillazg @LaibaBareera Could you pls take a look at this great job too?
mozillazg
left a comment
@amitk1sharma Thanks for your contribution! I don't have more comments. Please check the comments from @afdesk when you get a chance. Thanks!
| scored: true | ||
| - id: 2.2 | ||
| text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" |
Good catch! Thanks!
| - id: 3.1.1 | ||
| text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Automated)" | ||
| audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' ' | ||
| audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' ' |
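Review bot: switching the audit from `$proxykubeconfig` to `$kubeletkubeconfig` matches the check text, which no longer names the proxy kubeconfig; please confirm that the `tests` and `remediation` sections of 3.1.1 (not shown in this snippet) reference the same file, otherwise the remediation would still point operators at the proxy config while the audit inspects the kubelet one.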
Good catch!
This PR fixes several test case inconsistencies and incorrect audit commands in the benchmark YAML files for:
rh-1.8
cis-1.11
gke-1.8.0
eks-1.7.0
Changes made:
Fixed incorrect test case names and descriptions
Updated audit commands
Adjusted scored values to align with CIS standards
Improved remediation steps for clarity
Verified validation paths for OCP, GKE, and EKS consistency
Associated Issue: Fixes #1993